Password with real words (like Diceware) really safe?

Comments

If you only reject the occasional word then it shouldn't have much of an effect. But it is important to re-roll the dice when you reject a word. You shouldn't look for the next acceptable word on the list. You need to re-roll the dice.
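To make the re-roll advice above concrete, here is an added example (not part of the original thread) that computes the exact per-word distribution for both ways of handling a rejected word. The word list and the rejected entries are constructed placeholders, not the real Diceware list.

```python
import math
import secrets
from fractions import Fraction

# Constructed stand-in for a 7,776-entry Diceware list (placeholders, not the real list).
WORDS = [f"word{i:04d}" for i in range(7776)]
# Constructed example: three adjacent entries the user refuses to use.
REJECTED = {"word0010", "word0011", "word0012"}

def pick_reroll(words, rejected):
    """Rejection sampling: throw the whole roll away and roll again."""
    while True:
        word = words[secrets.randbelow(len(words))]
        if word not in rejected:
            return word

def pick_next_acceptable(words, rejected):
    """The shortcut the comment warns against: slide down to the next acceptable word."""
    i = secrets.randbelow(len(words))
    while words[i] in rejected:
        i = (i + 1) % len(words)
    return words[i]

def exact_distribution(words, rejected, method):
    """Exact probability of each acceptable word under 'reroll' or 'next'."""
    accepted = [w for w in words if w not in rejected]
    if method == "reroll":
        return {w: Fraction(1, len(accepted)) for w in accepted}
    dist = dict.fromkeys(accepted, Fraction(0))
    for i in range(len(words)):          # enumerate every equally likely roll
        while words[i] in rejected:
            i = (i + 1) % len(words)
        dist[words[i]] += Fraction(1, len(words))
    return dist

def min_entropy_bits(dist):
    """Bits per word against an attacker who tries the likeliest word first."""
    return -math.log2(max(dist.values()))

if __name__ == "__main__":
    for method in ("reroll", "next"):
        dist = exact_distribution(WORDS, REJECTED, method)
        print(method, max(dist.values()), round(min_entropy_bits(dist), 3))
    print(" ".join(pick_reroll(WORDS, REJECTED) for _ in range(6)))
```

With re-rolling, every remaining word stays equally likely and the loss from rejecting three words is negligible; with the shortcut, the word after the rejected run becomes four times as likely as any other.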

This seems like a good thread to add this: the number of recommended words is now up to six.

"I had previously written that longer Diceware passphrases might be vulnerable by about 2014. Well it's 2014. Today criminal gangs probably have access to more computing power than the NSA did when this page first appeared. So I am upping my passphrase length advice by one word."

It is important to note how the passphrase is hashed. If, for example, something like scrypt is used or the hashing involves HMAC-SHA512, such as in PBKDF2-HMAC-SHA512, then GPUs don't do much for you.

For example (shameless plug), extrapolating from the results that hashcat has achieved against the 1Password Master Password[1], a fleet of GPUs would still only be making on the order of 10s of thousands of guesses per second.

Since yesterday I've been reading the good blog post and documentation from AgileBits.
And now I'm a bit confused or concerned about the entropy of my passwords.

I've been using "randomly" created passwords for decades for my login and other important stuff. So it is not hard for me to remember a 25 char password.
I use a cmdline tool (mkpasswd / pwgen) which generates good passwords which are easy for me to remember.
Example "Vici0caolua5Epae"
But the entropy is not as high as I would have expected; the structure of these passwords is easy for me to remember. If I used one generated by 1Password, like "IpM9hTURjWgkonvM", it would be harder for me.

Since I use several calls to pwgen and pick different "passwords" to combine into my password and even alter chars, I always use a different length between 10 and 25 chars. So I guess it is still safe.

So I ask myself: is Diceware safer than pwgen? Since I'm getting older, "the availability" of the password in my mind is also something to think about.

The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

At the moment, I don't know the system in use by the tool you are using, but Diceware is a fairly straightforward calculation. Please see my post #9 in this thread for a comparison between Diceware and 1Password's generator. For passwords you need to remember, we recommend Diceware.

If someone knew the diceware word list I used, why couldn't they brute force every possible combination of the words in the list in which case "randomness" would be neutralized? What am I missing? Would it really take that long with today's processors?

Yes it would, so long as you choose a passphrase of sufficient length (which depends upon the context). Diceware is based on rock-solid mathematics. However, Jeff suggests near the end of his Toward Better Master Passwords blog post that you might enhance your diceware passphrase by adding in a made-up "password" like 2dM&P. If that feels right to you, then do it. However, if you use identical or similar made-up passwords in all of your otherwise-random passphrases, the gain may not be as much as you would suppose.

@clive
You could say exactly the same thing about normal passwords. If someone knows the alphabet that I used to create my password (English is the most common language on the net so this is likely) then why couldn't they brute force every possible combination of the letters/numbers/symbols in the list?

The answer is, of course, that they can, if they're willing to commit the necessary time and resources to the task.
For the standard diceware list and a 6 word phrase, this would be 7776^6 = 2.2E23 possible phrases.
Let's say that the diceware list averages 5 characters per word (I have no idea what it is, but this will do for an example), then the equivalent would be a 30 char password. Using upper and lower alphas, numerics and 10 common punctuation symbols we'd have 72 symbols so 72^30 = 5.2E55 possible passwords.

So, if you simply look at length of password then a diceware password is weaker because there's a lot of redundant information. However, remembering 6 words is a hell of a lot easier than remembering 30 random chars.

So the question is, is 2.2E23 choices strong enough? If @jpgoldberg's quote that @khad mentioned a couple of posts up is correct then hashcat is trying 10s of thousands of passwords a second against the agilekeychain format. Let's give it the benefit of the doubt and say 100,000. That means that it would take:

2.2E23 / 1E5 = 2.2E18 seconds = 69.7 billion years to scan the entire password space. Half that to get a 50% chance of a crack.
I'd say that this is unlikely given that, as far as we know, the universe is only 13.5 billion years old.

I'm not sure, but I think we should not be considering how many characters there are in a Diceware-generated password, since everyone who uses the system has the same 7,776 words, and they will try using combinations of only these words.

@JosueAlexander
You missed the point of what I said. For a 6 word phrase randomly chosen from the 7,776 word list you have 2.2E23 combinations. To brute force the whole list would take 7 billion years @ 1 million guesses per second (very fast against a PBKDF2 hashed password). Average crack time would therefore be about 3.5 billion years.
Not something to worry about really provided you use a decent length pass phrase.